Generate Key Pair Directly On a USB token in version (7.0.155)

#12165
Posted: 01/24/2010 07:36:26
by reza Goki (Standard support level)
Joined: 02/25/2008
Posts: 30

We have another problem with generating a self-signed certificate on a token that is more urgent. The token we are trying it on is LunaCA3. We get an error before generating the key pair on the token:
"PKCS#11 error CKR_GENERAL_ERROR in function C_GenerateKeyPair"
#12169
Posted: 01/25/2010 09:10:04
by Ken Ivanov (EldoS Corp.)

1) Can you please specify the model of the token that produces the "secret key not found" error?

2) Regarding the LunaCA3 token, it is possible (unfortunately, we do not have this very model to check in our conditions) that the token just does not support on-board key pair generation. Did you have a chance to succeed in token-based key generation with this token using some other software (or perhaps the key generation feature is mentioned in the token manual)?
#12176
Posted: 01/26/2010 02:17:55
by reza Goki (Standard support level)
Joined: 02/25/2008
Posts: 30

1) This is an ePass2000 FT11 token.
2) I can generate a key pair on this token with other software. I checked your solution for generating a certificate from an existing key pair and it has worked, but I don't know how I can assign the generated certificate to the key pair. Actually, I can't sign any content or data with this certificate. Please tell me how I can do it; it is more urgent than point 1.
Regards
Reza
#12177
Posted: 01/26/2010 02:22:10
by reza Goki (Standard support level)
Joined: 02/25/2008
Posts: 30

I added the generated certificate with the storage.Add() function, but the certificate was not assigned to the key pair.
#12180
Posted: 01/26/2010 10:05:09
by Ken Ivanov (EldoS Corp.)

1) Thank you. We will try to reproduce the issue in our conditions.
2) Let's continue the discussion in either the forum or the helpdesk (I'd suggest using the forum, if you do not mind, as the solution to your task might also be useful for other users).

Theory.

There is no unified (100% working) way to bind a particular certificate object to the key or key pair objects stored on the token, as the PKCS#11 standard does not strictly define such a way. However, the standard *recommends* using the CKA_ID attribute for this purpose. The bad thing here is that some token models require special handling, such as using the CKA_SUBJECT or CKA_LABEL attributes for this purpose.

Practice.

Please pass the ID of the private key object to the Add() method when importing the certificate to the token to bind the certificate to the appropriate private key object:
Code
var
  Handle : DWORD;
  KeyObj : TElPKCS11KeyObject; // SBPKCS11Base namespace
  ID : BufferType; // byte[] in .NET edition
  I : Integer; // loop index over the storage objects
...
  // generating the certificate
  Cert.SetKeyMaterial(KeyMaterial);
  Cert.PreserveKeyMaterial := true;
  Cert.Generate(SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION, 0);

  // searching for the key object that holds the private key just used
  Handle := KeyMaterial.KeyHandle;
  KeyObj := nil;
  for I := 0 to Storage.ObjectCount - 1 do
    if (Storage.Objects[I].Handle = Handle) and (Storage.Objects[I] is TElPKCS11KeyObject) then
    begin
      KeyObj := TElPKCS11KeyObject(Storage.Objects[I]); // get_Objects(i) in C#
      Break;
    end;
  // take the CKA_ID of the private key so the certificate gets the same identifier
  if KeyObj <> nil then // != null in C#
    ID := KeyObj.KeyID
  else
    ID := EmptyBuffer; // ID = null in .NET edition

  // importing the certificate with the appropriate ID
  Storage.Add(0, Cert, false, true, ID, 'My certificate');
  ...
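The binding logic described in the Theory and Practice parts above, as an added example that is not part of the original post or of SecureBlackbox: a stand-alone Python model of a token's object table that copies the private key's CKA_ID onto the certificate before import (what the Add() call receives in its ID parameter), then resolves the key for a certificate by CKA_ID first and falls back to CKA_SUBJECT and CKA_LABEL for tokens that bind differently, refusing to guess when several keys match. The names TokenObject, key_id_from_modulus, bind_certificate, find_private_key and the sample moduli are constructed for illustration; a real application reads these attributes through a PKCS#11 library, and deriving CKA_ID from the SHA-1 of the RSA modulus is a common convention, not a PKCS#11 requirement.

```python
import hashlib
from dataclasses import dataclass, replace
from typing import List, Optional

# PKCS#11 object class values (CKO_* constants from the standard's header).
CKO_CERTIFICATE = 0x00000001
CKO_PRIVATE_KEY = 0x00000003


@dataclass(frozen=True)
class TokenObject:
    """Minimal model of a token object: only the attributes relevant to binding."""
    handle: int
    obj_class: int
    cka_id: bytes = b""
    cka_label: str = ""
    cka_subject: bytes = b""  # DER-encoded subject name on a real token


def key_id_from_modulus(modulus: bytes) -> bytes:
    # Convention used by much middleware (not mandated by PKCS#11): the key pair and
    # its certificate share SHA-1(modulus) as CKA_ID.
    return hashlib.sha1(modulus).digest()


def bind_certificate(cert: TokenObject, private_key: TokenObject) -> TokenObject:
    """Return the certificate as it should be imported: CKA_ID copied from the key."""
    if not private_key.cka_id:
        # An empty identifier cannot bind anything; surface it instead of importing silently.
        raise ValueError("private key has an empty CKA_ID; cannot bind by identifier")
    return replace(cert, cka_id=private_key.cka_id)


def find_private_key(objects: List[TokenObject], cert: TokenObject) -> Optional[TokenObject]:
    """Resolve the private key for a certificate: CKA_ID, then CKA_SUBJECT, then CKA_LABEL."""
    keys = [o for o in objects if o.obj_class == CKO_PRIVATE_KEY]
    strategies = (
        ("CKA_ID", lambda k: bool(cert.cka_id) and k.cka_id == cert.cka_id),
        ("CKA_SUBJECT", lambda k: bool(cert.cka_subject) and k.cka_subject == cert.cka_subject),
        ("CKA_LABEL", lambda k: bool(cert.cka_label) and k.cka_label == cert.cka_label),
    )
    for name, matches in strategies:
        hits = [k for k in keys if matches(k)]
        if len(hits) == 1:
            return hits[0]
        if len(hits) > 1:
            # Two keys are indistinguishable by this attribute; signing with the wrong
            # one would produce an invalid signature, so stop rather than pick arbitrarily.
            raise LookupError(f"{len(hits)} private keys match the certificate by {name}")
    return None


def demo() -> dict:
    # Constructed sample token contents: two key pairs (placeholder moduli) and one
    # freshly generated certificate that has not been given a CKA_ID yet.
    mod_a = b"\x00" + bytes(range(1, 64))
    mod_b = b"\x00" + bytes(range(64, 127))
    key_a = TokenObject(1, CKO_PRIVATE_KEY, key_id_from_modulus(mod_a), "key A", b"CN=Reza")
    key_b = TokenObject(2, CKO_PRIVATE_KEY, key_id_from_modulus(mod_b), "key B", b"CN=Other")
    raw_cert = TokenObject(3, CKO_CERTIFICATE, b"", "My certificate", b"CN=Reza")

    # Without an ID the lookup only succeeds through the CKA_SUBJECT fallback.
    via_subject = find_private_key([key_a, key_b, raw_cert], raw_cert)
    # After binding, the certificate resolves by CKA_ID as the standard recommends.
    bound = bind_certificate(raw_cert, key_a)
    via_id = find_private_key([key_a, key_b, bound], bound)
    return {
        "fallback_handle": via_subject.handle if via_subject else None,
        "by_id_handle": via_id.handle if via_id else None,
        "cert_id_hex": bound.cka_id.hex(),
    }


if __name__ == "__main__":
    print(demo())
```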
#12211
Posted: 01/27/2010 07:18:58
by reza Goki (Standard support level)
Joined: 02/25/2008
Posts: 30

Hi, thanks a lot. It works very well. Thanks for the support.
What about key generation on LunaCA3? Is it possible to generate a key pair on this token with SecureBlackbox or not?
#12218
Posted: 01/27/2010 09:57:02
by Ken Ivanov (EldoS Corp.)

Quote
What about key generation on LunaCA3? Is it possible to generate a key pair on this token with SecureBlackbox or not?

It depends on whether the token supports on-board key generation (C_GenerateKeyPair function calls). As the LunaCA3 homepage indicates that the token does support key generation natively, the problem might be caused by some generation parameter not understood by the token. I will prepare a small testing tool for you and post it here a bit later.
#12224
Posted: 01/27/2010 15:11:33
by Ken Ivanov (EldoS Corp.)

I have posted the tool to your Helpdesk ticket (as the forum will not accept it due to its size).